Policies.life is a personal tool that helps you view your insurance policies by scanning your Gmail for policy documents. We are committed to keeping your data private and under your control.
We do not sell, share, or monetize your data in any way. Your policy information is encrypted and accessible only with your vault key.
Information We Access
When you sign in with Google, we request the following permissions:
Gmail (read-only) — We search your inbox for insurance-related emails using specific search terms (e.g., "health insurance", "car insurance", "term life"). We only read email metadata (subject, sender, date) and download PDF attachments from matching emails. We cannot modify, delete, or send emails.
Email address — Used to identify your account and associate your policies with your session.
Basic profile info — Your name, used to greet you in the app.
How We Process Your Data
Email metadata (subject lines, sender, date) is sent to an AI model (Grok by xAI) to determine which emails are actually insurance policies vs. marketing/newsletters.
PDF text from policy documents is sent to the same AI model to extract structured policy details (insurer, policy number, dates, premium amounts).
Triage results (whether an email is relevant or not, and why) are stored in plaintext in our database for performance — so we don't re-process the same emails.
Extracted policy data is encrypted with AES-256-GCM using a key derived from your vault password before being stored in the database.
Data Storage
Database: We use Turso (cloud SQLite) to store processing results. Sensitive fields (extraction details, policy information) are encrypted. Without your vault key, this data is unreadable.
Session: Your login session is stored in an encrypted cookie. It contains your email and name — no policy data.
OAuth tokens: Your Google OAuth refresh token is stored locally on the server to maintain Gmail access between sessions.
PDFs: Policy PDF files are downloaded temporarily to a local directory for text extraction. They are not uploaded to any external service — only the extracted text is sent to the AI.
Third-Party Services
Google (Gmail API) — For reading your insurance emails. Governed by Google's Privacy Policy.
xAI (Grok API) — For AI-powered email triage and policy extraction. Email subjects and PDF text are sent to their API for processing.
Turso — Cloud database for storing encrypted processing results.
Your Vault Key
Your vault key is the password used to encrypt and decrypt your policy data. It is:
Never stored in the database, cookies, or anywhere on the server
Only held in memory during an active refresh operation
Used to derive an AES-256 encryption key via PBKDF2 (100,000 iterations)
Verified via a one-way hash — we can tell if you entered the wrong key, but we cannot recover the right one
If you forget your vault key, your cached data cannot be recovered. You can still do a fresh refresh with a new key.
Data Retention
Cached processing results remain in the database until you do a new refresh (which replaces them).